title: File and Directory Discovery
id: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6
status: experimental
description: Detects usage of system utilities to discover files and directories
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/19
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
logsource:
  category: process_creation
  product: macos
detection:
  file_with_asterisk:
    Image: '/usr/bin/file'
    CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
  recursive_ls:
    Image: '/bin/ls'
    CommandLine|contains: '-R'
  find_execution:
    Image: '/usr/bin/find'
  mdfind_execution:
    Image: '/usr/bin/mdfind'
  tree_execution|endswith:
    Image: '/tree'
  condition: 1 of them
falsepositives:
  - Legitimate activities
level: informational
tags:
  - attack.discovery
  - attack.t1083